
Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass: Advice needed on unmanaged switches behind access switch

  • 1.  ClearPass: Advice needed on unmanaged switches behind access switch

    Posted Nov 18, 2022 04:21 AM
    Hi all,

    In our network environment we sometimes use unmanaged switches to expand the number of access ports at a workplace / desk.
    The setup roughly looks like this: 

    Core Switch > Access switch > (patched to) Workplace > Unmanaged switch > Endpoint

    However, we are sometimes experiencing issues with the unmanaged switches. For example, an endpoint connected to the unmanaged switch authenticates fine for X times (roughly 10 auths), but stops working after 10x (for example). Only by resetting the unmanaged switch does it start working again. We currently use the TP-LINK TL-SG108 model, but also tried others.

    I understand this can be caused by many reasons, but my question is: Are there any technical requirements for the unmanaged switch to function with colorless ports? 


  • 2.  RE: ClearPass: Advice needed on unmanaged switches behind access switch
    Best Answer

    Posted Nov 18, 2022 05:36 AM
    There are many reasons not to use unmanaged switches connected to an access switch, but the main reasons not to use them with 802.1X are that link up/down events are tied to the MAC/802.1X authentication processes in the switch, and disconnected clients are not de-authenticated when they leave the network; you cannot do CoA port bounces; and clients on the unmanaged switch can freely communicate with each other within the unmanaged switch. But you probably were aware of that. For reliability and monitoring, having unmanaged switches is also a nightmare. Avoid unmanaged switches at all costs if you want a stable environment; I've seen too many cases where unmanaged switches went mad or created network loops. What doesn't help there is that unmanaged switches are often accessible to end users, and those can do unpredictable things like plugging both ends of a patch cable they don't need into the switch.

    For 802.1X or MAC authentication, whether it works depends mostly on the access switch that is configured to do the authentication. From other posts I think you use Dell switches, and had other issues with those, like re-authentication. This may be the same. Unless the switch (the one configured to do port authentication to ClearPass) triggers a reauthentication, there will not be a reauthentication. If you see that there are no authentications after 10x, what is the authentication status on the switch port? And does the client have access, or is it blocked?

    The Access Switch will also need to support multiple authenticated clients on the same port (all clients behind the unmanaged switch are on the same port for the access switch), and not all switches handle that the same.

    I'm not aware of any technical requirements on unmanaged switches, except that you should avoid them, and they need to be 'transparent' for EAPoL (the 802.1X traffic between client and Access Switch).

    Herman Robers
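As an added illustration of what "transparent for EAPoL" in the reply above comes down to (example code written for this page, not from the thread or from HPE Aruba), the Python below decodes 802.1X EAPoL frames and applies the IEEE 802.1D reserved-address rule. The supplicant sends EAPOL-Start and its EAP-Responses to the PAE group address 01:80:C2:00:00:03, which lies in the 01:80:C2:00:00:00 to 01:80:C2:00:00:0F block that a standards-compliant MAC bridge must not forward. An unmanaged switch that honours that rule silently eats the supplicant's frames and authentication never completes; a switch that floods them is "transparent". The MAC addresses and frames are constructed inline for the example; nothing is captured from a real network.

```python
"""Decode EAPoL (802.1X) frames and decide whether an intermediate MAC bridge
that honours the IEEE 802.1D reserved-address rule would forward them.
Sample frames and MAC addresses below are constructed for this example."""
import struct
from typing import List, Optional, Tuple

ETHERTYPE_EAPOL = 0x888E
# PAE group address: the destination a supplicant uses for EAPoL frames.
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")
# IEEE 802.1D reserved block 01:80:C2:00:00:00 .. 01:80:C2:00:00:0F.
# A standards-compliant MAC bridge does not forward frames sent to it.
RESERVED_FIRST = bytes.fromhex("0180c2000000")
RESERVED_LAST = bytes.fromhex("0180c200000f")

EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}


def fmt_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_eapol(src: bytes, pkt_type: int, body: bytes = b"",
                dst: bytes = PAE_GROUP_ADDR, version: int = 2) -> bytes:
    """Ethernet II header + EAPoL header (version, type, body length) + body."""
    eth = dst + src + struct.pack("!H", ETHERTYPE_EAPOL)
    return eth + struct.pack("!BBH", version, pkt_type, len(body)) + body


def build_eap(code: int, identifier: int, data: bytes = b"") -> bytes:
    """EAP header: code, identifier, total length, followed by type/data."""
    return struct.pack("!BBH", code, identifier, 4 + len(data)) + data


def parse_eapol(frame: bytes) -> Optional[dict]:
    """Decode an EAPoL frame; return None for any other Ethertype."""
    if len(frame) < 18:
        raise ValueError("frame too short for Ethernet + EAPoL header")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_EAPOL:
        return None
    version, pkt_type, length = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + length]
    if len(body) != length:
        raise ValueError("EAPoL length field exceeds frame")
    info = {
        "dst": fmt_mac(dst), "src": fmt_mac(src), "version": version,
        "type": EAPOL_TYPES.get(pkt_type, f"unknown({pkt_type})"),
        "to_pae_group": dst == PAE_GROUP_ADDR,
    }
    if pkt_type == 0 and length >= 4:  # EAP-Packet carries an EAP header
        code, ident, eap_len = struct.unpack("!BBH", body[:4])
        info["eap"] = {"code": EAP_CODES.get(code, f"unknown({code})"),
                       "id": ident, "length": eap_len}
    return info


def bridge_would_forward(frame: bytes) -> bool:
    """802.1D rule: frames to the reserved group-address block are not forwarded."""
    dst = frame[0:6]
    return not (RESERVED_FIRST <= dst <= RESERVED_LAST)


def triage(frames: List[bytes]) -> List[Tuple[str, Optional[str], str]]:
    """For each EAPoL frame: (EAPoL type, EAP code or None, bridge verdict).
    Non-EAPoL frames are skipped; a filtering bridge treats them normally."""
    out = []
    for f in frames:
        info = parse_eapol(f)
        if info is None:
            continue
        verdict = "forwarded" if bridge_would_forward(f) else "dropped"
        out.append((info["type"], info.get("eap", {}).get("code"), verdict))
    return out


# Constructed sample: a supplicant behind the unmanaged switch and the
# authenticator (access switch) port on the other side of it.
SUPPLICANT = bytes.fromhex("001122334455")
AUTHENTICATOR = bytes.fromhex("aabbccddee01")
SAMPLE_FRAMES = [
    build_eapol(SUPPLICANT, 1),                                   # EAPOL-Start to group addr
    build_eapol(AUTHENTICATOR, 0, build_eap(1, 1, b"\x01"), dst=SUPPLICANT),  # EAP-Request/Identity, unicast
    build_eapol(SUPPLICANT, 0, build_eap(2, 1, b"\x01user")),     # EAP-Response/Identity to group addr
    SUPPLICANT + AUTHENTICATOR + struct.pack("!H", 0x0806) + bytes(28),       # ARP, not EAPoL
]

if __name__ == "__main__":
    for eapol_type, eap_code, verdict in triage(SAMPLE_FRAMES):
        print(f"{eapol_type:<12} {eap_code or '-':<9} {verdict}")
```

Running the block shows the asymmetry that matters in the field: the authenticator's unicast EAP-Request passes a filtering bridge, but the supplicant's EAPOL-Start and EAP-Response to the group address do not, so the access switch sees a port that never finishes 802.1X and falls back to whatever its MAC-authentication or failure policy says.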

  • 3.  RE: ClearPass: Advice needed on unmanaged switches behind access switch

    Posted Nov 20, 2022 05:18 PM
    What is the managed access switch?

  • 4.  RE: ClearPass: Advice needed on unmanaged switches behind access switch

    Posted Nov 29, 2022 10:28 AM
    We are using a Dell N2048P managed network switch.